Methods and apparatus for managing objects in a storage environment

ABSTRACT

Some embodiments are directed to accessing a content unit stored in a storage environment that includes a plurality of storage clusters, wherein multiple versions of the content unit are stored on at least two different clusters in the storage environment. The storage environment and/or the requesting entity may identify the at least two storage clusters that store the content unit and select one of clusters as storing a valid version of the content unit.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. application Ser. No.12/800,448, entitled “METHODS AND APPARATUS FOR MANAGING OBJECTS IN ASTORAGE ENVIRONMENT,” filed on May 14, 2010. The entire contents of thisapplications are incorporated herein by reference in their entirety.

FIELD OF THE INVENTION

The present invention relates to data storage and, more particularly, tomethods and apparatus for managing objects in a storage environment.

DESCRIPTION OF THE RELATED ART

The capacity and performance of a data storage system depends on thephysical resources of the storage system. For example, the quantity ofdata that a storage system is capable of storing is dependent on thenumber and capacity of the physical storage devices that the storagesystem possesses. As the quantity of data stored on the storage systemapproaches the storage capacity of the storage system, it may be desiredto increase the storage system capacity by adding additional physicalstorage devices to the storage system. However, there may be physicallimits imposed by the hardware configuration of the storage system onthe number of storage devices that the storage system may have.Consequently, when a storage system approaches or nears it storagecapacity, it may no longer be possible or desirable to add more physicalstorage devices to the storage systems. Rather, if it is desired toincrease storage capacity, one or more additional storage systems may beused.

SUMMARY OF THE INVENTION

One embodiment is directed to a method of accessing a content unitstored in a storage environment that includes a plurality of storageclusters, wherein the content unit is stored on at least two of theplurality of storage clusters. The method comprises acts of: initiatingan operation to modify the content unit; causing each of the pluralityof storage clusters to perform a search for the content unit;identifying, based on the search, the at least two storage clusters thatstore the content unit; selecting one of the at least two of theplurality of storage clusters as storing a valid version of the contentunit; performing the operation to modify the content unit on the validversion of the content unit stored by the selected one of the pluralityof storage clusters; and when at least one of the at least two clustersdoes not store information indicating that the content unit storedthereon is an invalid version, storing validity information on each ofthe at least two storage clusters that does not store informationindicating that the content unit stored thereon is an invalid version,where the validity information indicates the content unit stored thereonis an invalid version.

Another embodiment is directed to at least one computer readable mediumencoded with instructions that when executed by one of a plurality ofstorage clusters in a storage environment, perform a method comprisingacts of: receiving a request, from a host computer, to read the contentunit, the request identifying the content unit via an object identifierassigned to the content unit; causing each of the plurality of storageclusters to perform a search for the content unit; receiving, from eachof the plurality of storage clusters that stores the content unit, avalidity indicator for the content unit; determining, based on thevalidity indicators, which one of the plurality of storage clusters thatstores the content unit stores a valid version of the content unit; andreturning the valid version of the content unit in response to therequest.

A further embodiment is directed to a computer system that operates asone of a plurality of storage clusters in a storage environment, thestorage cluster comprising: at least one memory that storesprocessor-executable instructions for accessing a content unit, whereinthe content unit is stored on at least two of the plurality of storageclusters; and at least one microprocessor, coupled to the at least onememory, that executes the processor-executable instructions to: initiatean operation to modify the content unit; cause each of the plurality ofstorage clusters to perform a search for the content unit; identify,based on the search, the at least two storage clusters that store thecontent unit; select one of the at least two of the plurality of storageclusters as storing a valid version of the content unit; perform theoperation to modify the content unit on the valid version of the contentunit stored by the selected one of the plurality of storage clusters;and store a status content unit on each of the at least two clustersthat does not already store a status content unit for the content unit,wherein the status content unit indicates which of the at least twoclusters stores the valid version of the content unit.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a distributed storage environment on whichembodiments of the present invention may be implemented;

FIG. 2 is a block diagram of a host computer interacting with a storageenvironment with multiple clusters;

FIG. 3 is a block diagram of a host computer sending a request for acontent unit stored on two different clusters in a storage environment;

FIG. 4 is a block diagram of multiple host computers writing the samecontent to a storage environment having multiple clusters;

FIG. 5 is a block diagram of a blob/content descriptor file (CDF) pair;

FIG. 6 is a flow chart of an illustrative process for modifying acontent unit stored on multiple clusters in a storage environment bymarking unmodified copies as invalid, in accordance with someembodiments;

FIG. 7 is a flow chart of an illustrative process for reading a contentunit stored on multiple clusters in a storage environment in whichcopies marked as invalid are disregarded, in accordance with someembodiments;

FIGS. 8A and 8B are a flow chart of an illustrative process formodifying a content unit stored on multiple clusters in a storageenvironment in which a new content unit is created to identify the validcopy, in accordance with some embodiments;

FIGS. 9A and 9B are a flow chart of an illustrative process for readinga content unit stored on multiple clusters in a storage environment inwhich the valid copy is determined from a status content unit, inaccordance with some embodiments;

FIG. 10 is a diagram of a database table that associates the writetimestamp for a content unit with an object identifier for the contentunit, in accordance with some embodiments;

FIG. 11 is a flow chart of an illustrative process for modifying acontent unit stored on multiple clusters in a storage environment, inwhich the write timestamp for invalid copies is used to identify thosecopies as invalid, in accordance with some embodiments;

FIG. 12 is a flow chart of an illustrative process for reading a contentunit stored on multiple clusters in a storage environment, in which thevalid copy is determined using the write timestamps for the contentunits, in accordance with some embodiments;

FIG. 13 is a diagram of a primary storage environment having multipleclusters and a backup storage environment having multiple cluster andserving as a replication target for the primary storage environment;

FIG. 14 is a flow chart of an illustrative process for replicating acontent unit from a primary storage environment to a backup storageenvironment, in accordance with some embodiments;

FIG. 15 is a flow chart of an illustrative process for replicating apreviously-replicated content unit from a primary storage environment toa backup storage environment after modification of the content unit inthe primary storage environment, in accordance with some embodiments;and

FIG. 16 is a block diagram of a computer that may be used in someembodiments to implement certain systems.

DETAILED DESCRIPTION

I. Challenges Related to Single Instance Storage in Multi-ClusterStorage Environments

Some embodiments relate to challenges presented in performing singleinstancing of objects stored in a multi-cluster distributed contentaddressable storage environment.

A. Object Addressable Storage Systems

Some storage systems require that the access requests identify data tobe accessed using logical volume and block addresses that define wherethe units of data are stored on the storage system. Such storage systemsare known as “block I/O” storage systems. In some block I/O storagesystems, the logical volumes presented by the storage system to the hostcorrespond directly to physical storage devices (e.g., disk drives) onthe storage system, so that the specification of a logical volume andblock address specifies where the data is physically stored within thestorage system. In other block I/O storage systems (referred to asintelligent storage systems), internal mapping techniques may beemployed so that the logical volumes presented by the storage system donot necessarily map in a one-to-one manner to physical storage deviceswithin the storage system. Nevertheless, the specification of a logicalvolume and a block address used with an intelligent storage systemspecifies where associated data is logically stored within the storagesystem, and from the perspective of devices outside of the storagesystem (e.g., a host) is perceived as specifying where the data isphysically stored.

In contrast to block I/O storage systems, some storage systems receiveand process access requests that identify a data unit or other contentunit (also referenced to as an object) using an object identifier,rather than an address that specifies where the data unit is physicallyor logically stored in the storage system. Such storage systems arereferred to as object addressable storage (OAS) systems. In objectaddressable storage, a content unit may be identified (e.g., by hostcomputers requesting access to the content unit) using its objectidentifier, and the object identifier may be independent of both thephysical and logical location(s) at which the content unit is stored(although it is not required to be because in some embodiments thestorage system may use the object identifier to inform where a contentunit is stored in a storage system). From the perspective of the hostcomputer (or user) accessing a content unit on an OAS system, the objectidentifier does not control where the content unit is logically (orphysically) stored. Thus, in an OAS system, if the physical or logicallocation at which the unit of content is stored changes, the identifierby which host computer(s) access the unit of content may remain thesame. In contrast, in a block I/O storage system, if the location atwhich the unit of content is stored changes in a manner that impacts thelogical volume and block address used to access it, any host computeraccessing the unit of content must be made aware of the location changeand then use the new location of the unit of content for futureaccesses.

One example of a type of an OAS system is a content addressable storage(CAS) system. In a CAS system, the object identifiers that identifycontent units are content addresses. A content address is an identifierthat is computed, at least in part, from at least a portion of thecontent (which can be data and/or metadata) of its corresponding unit ofcontent. For example, a content address for a unit of content may becomputed by hashing the unit of content and using the resulting hashvalue as the content address. Storage systems that identify content by acontent address are referred to as content addressable storage (CAS)systems.

B. Single Instance Storage

Single instance storage is a technique for permitting users to storeonly a single copy of the same content unit within the storage system.For example, if a document is e-mailed to fifty different e-mailrecipients, each e-mail recipient may wish to archive the document onthe same storage system. However, storing fifty copies of the samedocument is an inefficient use of storage space. Thus, in a system thatperforms single-instance storage, a first of the fifty users would bepermitted to store the document. However, when the system receivessubsequent requests to store the document (e.g., from any of the other49 recipients of the document), the system may recognize that it alreadystores a copy of the document and may not store additional copies of thedocument in response to these user requests.

The use of content addresses as identifiers for content units in a CASstorage system may facilitate enforcing single instance storage. Thatis, as explained above, the content address for a content unit may becomputed by hashing all or a portion of the unit of content and usingthe resulting hash value as all or part of the content address. When arequest to store a content unit is received, the CAS system may performhashing on the content unit using a hash function (e.g., MD5 or anyother suitable hash function) to generate a hash value and may comparethat hash value to the hash values in the content addresses that the CASsystem already stores. If there is a match, then the CAS system maydetermine that it already stores a copy of the content unit that isrequested to be stored.

Some systems that enforce single instance storage of objects may stillcreate and store mirror copies of objects for backup and recoverypurposes. For example, when an object is stored on a system, the systemmay create a mirror copy of the object that is stored in a differentstorage location within the system. In this way, if one copy of theobject becomes unavailable, lost, or corrupted, the other copy may serveas a backup. However, when enforcing single instance storage, the systemdoes not create additional copies of an object in response to userrequests to store an object that is already stored on the storagesystem.

C. Distributed Storage Environments

In some embodiments, an OAS or CAS system may be implemented in adistributed storage environment. An example of a distributed storageenvironment 100 is shown in FIG. 1. Distributed storage environment 100includes a plurality access nodes 101 a-101 c and a plurality of storagenodes 103 a-103 e. Access nodes 101 may receive and respond to accessrequests from a host computer 105, and storage nodes 103 may store datasent to storage environment 100 by host computer 105. Access nodes 101and storage nodes 103 may be coupled by a network (not shown) andcommunicate over the network such that each node may make its presenceon the network known to the other nodes. In this manner, the nodes mayoperate together to process access requests and store data for hostcomputer 105.

Each node may include processing resources (e.g., processor and memory)and storage devices. The nodes communicate with each other to storedata, respond to access requests, and perform other environmentfunctions. To a user of the storage environment (e.g., the host computer105 or an application program executing thereon), the storageenvironment may appear as single entity. That is, the user need not beaware that the storage environment includes a plurality of separatenodes or on which storage node a certain unit of data is stored ormirrored.

To increase the storage capacity of the storage environment 100, morestorage nodes may be added and coupled to the network. These additionalstorage nodes may make their presence known on the network, thusallowing access nodes 101 to employ the additional storage in thestoring of data. Adding more storage nodes to the storage networkwithout increasing the number of access nodes may result in the accessnodes acting as a bottleneck for the storage environment and adegradation in performance. Thus, it may desirable when increasing thenumber of storage nodes to also increase the number of access nodes.

Storage environment 100 may perform a number of functions, such asdetermining on which storage node 103 to store data in response to awrite request from host 105, determining on which storage node 103 datais stored in response to a read request from host 105, performinggarbage collection of data that may be deleted from the storageenvironment, enforcing retention periods that specify a period of timethat data should not be deleted from the storage environment, mirroringdata (i.e., creating one or more mirror copies on different nodes of thestorage environment), self-healing to compensate for failure of one ormore nodes, and other functions. Such functions may be performed bystorage nodes, access nodes, or both, and performing such functions maycause network traffic between the nodes.

For example, to perform self-healing functions, other nodes may detectwhen a node fails. In response, the environment 100 may re-direct accessrequests to data stored on the failed node to other nodes that store amirrored copy of that data and may build another mirror for continuedfault tolerance. A node may broadcast keep-alive messages on the networkto indicate that it is operational and has not failed. If keep-alivemessages from that node are not received by other nodes, the other nodesmay determine that the node has failed. Adding more nodes to the storageenvironment causes more keep-alive messages to be transmitted on thenetwork and results in more network traffic.

As another example, the storage environment 100 may maintain an indexsuch as the blob location index (BLI), to aid in locating data. The BLImay specify on which storage node units of data are stored. Each accessor storage node in the network may be responsible for administering aportion of the BLI. Because the BLI may be distributed across the accessand/or storage nodes, maintaining and updating the BLI when units ofdata are written to or deleted from the storage environment causesnetwork traffic to be generated among nodes. Adding more nodes may causethe administration responsibilities of the BLI to be shared among agreater number of nodes, thus causing a greater amount of networktraffic to be generated.

Other functions, such as performing garbage collection, locating contenton the storage environment (e.g., via a broadcast message to all nodes),and re-ranging the BLI (i.e., when nodes are added or removed from thestorage environment), may cause a greater amount of network traffic asnodes are added to the storage environment. Such increased networktraffic may result in a decrease in performance of the storageenvironment.

D. Multi-Cluster Storage Environments

As discussed above, storage nodes 103 may be added to the storageenvironment to increase the storage capacity of the storage environment.Additionally, access nodes 101 may be added to counteract degradation inperformance caused by adding the additional storage nodes. However,because adding access nodes and storage nodes causes increased networktraffic, once a certain number of nodes in the storage environment isreached, the performance benefit gained by adding additional nodes isoffset at least somewhat by the increased network traffic generated bythe nodes in the storage environment, as well as the increased amount ofprocessing resources used in performing the infrastructure functions(such as those described above) that support the storage environment.Thus, as additional nodes are added to the storage environment toincrease storage capacity and/or performance, the overall performance ofthe storage environment may increase less than expected or desired, ormight in some cases even decrease. This performance impact is referencedbelow as performance degradation, which term is used herein to refer tonot only actual decreases in performance, but also the diminishingreturns in performance improvements achieved by the addition of anadditional storage resource, such as an access node or storage node.

In some embodiments, separate storage clusters may be arranged to worktogether to provide combined storage. For example, each of a pluralityof storage clusters in a storage environment may be implemented as aseparate OAS or CAS system. These storage clusters may be independent sothat the addition of an additional storage resource in one cluster doesnot cause the performance degradation issues discussed above for otherclusters. As used herein, the term storage cluster refers to a group ofone or more interconnected nodes that share at least one softwareutility that logically connects them. For example, the nodes of astorage cluster may share a self-healing software utility, such thatnodes in a cluster monitor keep-alive messages transmitted by othernodes in that cluster, but not by nodes outside the cluster. The nodesmay also share a common BLI so that the BLI of one storage cluster maybe independent of the BLI of any other storage cluster. The nodes of astorage cluster may also, or alternatively, share other utilities suchas a garbage collection utility and/or a data mirroring utility thatkeeps track of where data stored in the cluster is mirrored. In oneembodiment, each node in a cluster knows the address (e.g., an IPaddress) of every other node in the cluster, although the presentinvention is not limited in this respect.

Because nodes in a storage cluster do not share software utilities withnodes outside the cluster (e.g., in a different storage cluster), theinternal network traffic and use of processing resources of the nodeswithin one storage cluster does not affect the performance of any otherstorage cluster. Consequently, an additional storage cluster may beadded to a storage environment to increase storage capacity withoutexperiencing the above-described performance degradation issues.

It should be appreciated that the description of the types of softwareutilities that may be shared among nodes in a cluster (but not sharedamong nodes in different clusters) is provided merely for the purposesof illustration, and that the aspects of the present invention describedherein are not limited to use in a storage environment wherein the nodesin a storage cluster share the particular types of software utilitiesdiscussed above, or any other particular type of software utility.

In one embodiment of the invention, multiple storage clusters aremanaged in a manner that is transparent to users (e.g., host computersor application programs executing thereon) of the storage environment,so that users need not know on which storage cluster a particular unitof data is stored to access that unit of data. For example, as shown inFIG. 2, storage environment 201 may include storage clusters 203 a and203 b. Host computer 105 and/or application programs executing thereonneed not be aware the storage environment 201 comprises two independentstorage clusters, but rather may view storage environment 201 as asingle unified storage environment. Thus, application programs thatstore data to and retrieve data from the storage environment may treatthe multiple storage clusters as a single storage environment, withoutknowledge of on which cluster data written to the storage environment isstored. Thus, in one embodiment of the invention, when an applicationprogram (e.g., on a host) issues a write request for a unit of data tothe storage environment, it is determined on which storage cluster theunit of data is to be written, and when the application issues a readrequest, it is determined on which storage cluster the data is stored,both in a manner transparent to the application program.

There are variety of possible implementation techniques as to where theaspects of the computer system that determine on which storage clusterto store a unit of data and that retrieve a previously written unit ofdata from the appropriate cluster are practiced. Some examples ofpossibilities are described in U.S. patent application Ser. No.10/787,337, titled Methods And Apparatus For Increasing Data StorageCapacity, and filed on Feb. 26, 2004. This application is herebyincorporated by reference in its entirety.

E. Challenges Presented in Connection with Single Instance Storage in aMulti-Cluster CAS Distributed Storage Environment

Enforcing single instance storage between storage clusters in a storageenvironment that has multiple clusters presents challenges. For example,if one cluster in a storage environment receives a request to store acontent unit, that cluster may be able determine whether it alreadystores a copy of the content unit, but it may not have informationavailable to it to be able to determine whether that content unit isstored on any of the other clusters in the storage environment.

One possible technique for addressing this challenge is, each time arequest to store a content unit on a storage cluster in a multi-clusterstorage environment is received, to send an instruction to each storagecluster in the storage environment (either serially or in parallel) todetermine whether that storage cluster already stores a copy of thecontent unit. If any storage cluster in the storage environment alreadystores a copy of the content unit, a new copy of the content need not bestored in response to the read request. However, this technique may notbe desirable because it increases the amount of time taken and resourcesexpended to complete processing of a write request. That is, each a timea request to store a new content unit is received, each storage clusterin the storage environment must perform a search to determine whether itstores a copy of the content unit. This may be a time and resourceintensive process.

Not enforcing single instance storage and allowing users to storemultiple copies of the same content unit on different storage clustersmay also present challenges. For example, if a copy of a content unit isstored on two different clusters and each copy has the same identifier,one copy of the content unit may be modified and thus be inconsistentwith the other content unit. As a result, when a read request for thecontent unit is received in the storage environment, the content that isreturned to the user that initiated the request may be differentdepending on which storage cluster in the storage environment processedthe read request.

For example, as shown in FIG. 3, storage environment 301 may have twostorage clusters 303 a and 303 b. Each storage cluster may store a copyof the same content unit and that content unit may be assigned theobject identifier or content address “ABC.” Thus, as shown in FIG. 3,content unit 305 a is a first copy of the content unit identified by theidentifier “ABC,” and is stored on cluster 303 a. Content unit 305 b isa second copy of the content unit identified by the identifier “ABC” andis stored on cluster 303 b. However, the content of content unit 305 amay be modified so that it is different from the content of content unit305 b. If host computer 105 subsequently issues a read request 307 forcontent unit “ABC,” the content unit that is returned will be differentdepending on whether cluster 303 a processes the read request or cluster303 b processes the read request.

There are a number of possible ways in which two content units havingthe same content and the same identifier may be stored on differentclusters in the same storage environment. One example is shown in FIG.4. In FIG. 4, storage environment 401 is a CAS storage environment thatincludes cluster 403 a and cluster 403 b. Each of these clusters may beimplemented as a distributed CAS storage system. Host computer 407 mayissue a write request 409 to store Content A in the storage environment.Write request 409 may be processed by cluster 403 a. Cluster 403 a maystore Content A thereon and may generate a content address for Content Aby applying a hash function to the content address. In the example ofFIG. 4, the content address that is generated and used to identifyContent A is “XYZ.” Cluster 403 a may return an acknowledgment 411 tohost 407 that indicates that Content A was successfully stored and mayinclude the content address for Content A in the acknowledgment. Hostcomputer 405 may subsequently issue a write request 413 to store thesame content, Content A, in storage environment 401. However, writerequest 413 may be processed by cluster 403 b. Cluster 403 b may processthe write request, generate a content address for Content A, and returnacknowledgment 415 to host 405 that indicates the content address forContent A. Because cluster 403 b uses the same hashing algorithm togenerate the content address for Content A that was used by cluster 403a, it generates the same content address (i.e., “XYZ”) for Content Athat was generated by cluster 403 a. Consequently, a copy of Content Ais stored on both cluster 1 and cluster 2, and each copy is identifiedusing the same identifier

Another possible way in which two content units having the same contentand the same identifier may be stored on different clusters in the samestorage environment is if two clusters that were initially configured asa replication pair are reconfigured as co-clusters in a storageenvironment. A replication pair is a pair of storage clusters in whichone cluster serves as a primary cluster and the other storage clusterserves as a backup cluster to the primary cluster. Content units storedon the primary cluster are replicated to the backup cluster. In thisway, if a content unit becomes lost or corrupted on the primary clusteror the primary cluster fails, its content may be recovered from thebackup cluster. Because the backup cluster stores copies of the contentunits stored on the primary cluster, if the primary cluster and backupcluster are reconfigured so that they are no longer a replica pair butrather are co-clusters in a storage environment, these two clusters maystore copies of the same content units that are identified by the sameidentifier.

A third possible way in which two content units having the same contentand the same identifier may be stored on different clusters in the samestorage environment is if a restore operation is run between twoclusters in a storage environment. This may occur, for example, if asystem administrator accidentally runs the restore operation, orintentionally runs the restore operation without fully appreciating theconsequences. A restore operation is an operation that is used torecover, from a backup cluster, content units that were stored on aprimary cluster that have become lost (e.g., due to hardware failure onthe cluster or some other reason) or corrupted. The restore operationcopies content units from the backup cluster to a different cluster. Ifa restore operation is run between two clusters in the storageenvironment, content units stored on one cluster may be copied to theother cluster, resulting in identical copies of content units that havethe same identifier being stored on different clusters in the storageenvironment.

When two or more copies of the same content unit that have the sameidentifier are stored on different clusters in a storage environment,the content of these copies may become inconsistent with each other in anumber of possible ways.

For example, many storage systems allow users to modify previouslystored content. For example, if it is desired to modify the content of acontent unit, a write request to write to the content may be sent to andprocessed by the storage system. In a multi-cluster storage environment,if two copies of a content unit are stored on two different storageclusters in the storage environment, and a user request to modify thecontent unit is processed by only one cluster, the two copies of thecontent unit may become inconsistent. As a result, if a usersubsequently issues a read request for the content unit, the contentthat the user receives in response to the request depends on whichcluster processes the read request.

Some storage systems do not allow users to modify previously-storedcontent units. That is, once a content unit is stored on the storagesystem, users are not permitted to modify its content. Such contentsystems are sometimes referred to as archive storage systems or fixedcontent storage systems.

Even in storage systems that do not permit a content unit to be modifiedonce it has been stored, it is possible that the content of twodifferent copies of the same content unit stored on different clustersmay become inconsistent.

One way in which this may occur is in a CAS storage environment in whicha blob/CDF architecture is used. A unit of data in the architecturedefined in the CAS applications is referred to as a blob. A blob may be,for example, the binary data created by a user or an application programto be stored on a storage system, such as, for example, a patient x-ray,company financial records, a digital image, or any other type of data.When a blob is stored to a CAS system, a content address is generatedfor the blob based upon its content in the manner discussed above.

Each blob may have at least one content descriptor file (CDF) associatedwith it. For example, FIG. 5 shows a blob/CDF pair comprising a CDF 501and a blob 503. CDF 501 may include metadata 505 and a plurality ofreferences 507 a, 507 b, . . . , 507 n. A CDF may reference one or moreblobs or CDFs. Thus, the references 507 may be, for example, referencesto the blobs and/or CDFs referenced by CDF 501. As shown in FIG. 5,reference 507 a is a reference to blob 503. Metadata 505 may, forexample, include the creation date of CDF 501 (e.g., the date that CDF501 was initially stored), a description of the content of blob 503,other metadata pertaining to the content of blob 503, or any othersuitable metadata.

Like blob 503, a content address that serves as the identifier for CDF501 may be generated by hashing CDF 501. In this respect, CDF 501 mayhave a binding portion and a non-binding portion. A binding portion of acontent unit is a portion that contributes to the content address forthe content unit, and a non-binding portion is a portion that does notcontribute to the content address for the content unit. Thus, forexample, the content in the binding portion of the content unit ishashed to generate the content address, whereas the content in thenon-binding portion is not hashed. For example, as shown in FIG. 5, CDF501 has a binding portion 509 and a non-binding portion 511 whichincludes non-binding content 511. The content of the binding portion isinput to the hashing function used to generate the content address forCDF 501, while the content of the non-binding portion is not input intothe hashing function.

Because non-binding content 513 is not used in generating the contentaddress for CDF 501, altering the content of non-binding content 513does not change the content address for CDF 501.

A variety of types of mutable information may be stored in thenon-binding portion of a CDF. For example, in FIG. 5, non-bindingcontent 513 may include information indicating whether a litigation holdhas been put on the content units referenced by references 507 of CDF501. A litigation hold indicates that the content of the content unitsreferenced by CDF 501 are relevant to an ongoing or anticipatedlitigation and, as such, CDF 501 and the content units it referencescannot be deleted until the litigation hold is removed. Thus,non-binding content 513 may be altered by changing the informationindicating whether a litigation hold is in place.

Another example of mutable information that may be included innon-binding content 513 is information indicating whether an event thattriggers an event-based retention period has occurred. A retentionperiod is a period during which a content unit cannot be deleted.Metadata 505 may store a retention period for CDF 501 and the contentunits that it references. In some situations, the length of theretention period depends on the time of occurrence of some event. Forexample, a hospital may have a policy that a patient's medical recordsare to remain stored for a minimum of five years from the patient'sdeath. Thus, metadata 505 may store the length of the retention period(e.g., five years from patient's death), and non-binding content 513 maystore information indicating whether the event upon which the length ofthe retention period is based has occurred and/or the time at which thatevent occurred. Thus, when the event occurs, information stored innon-binding content 513 may be updated to indicate that the event hasoccurred and/or the time at which the event occurred. This informationmay be used to determine when the retention period expires.

Any other type of mutable information may be stored in non-bindingcontent such as, for example, pointers to other related content unitsthat are stored on the CAS system.

In a multi-cluster CAS storage environment that employ a blob/CDFarchitecture, if two copies of a CDF are stored on different clusters inthe storage environment, these two copies may be identified by the samecontent address, as the binding (and non-mutable) portions of these twocopies are identical. If the non-binding content of one of these twoCDFs changes (e.g., due to a change in litigation hold status or theoccurrence of an event associated with an event based retention policy),the non-binding content of each of these two CDFs may be different, eventhough the content address for each of these two CDFs remains the same.Consequently, determining which copy of the CDF is the valid copy andwhich copy is invalid may present challenges.

Some embodiments described below are directed to addressing theabove-discussed problems arising from multiple content units withdifferent content but having the same identifier being stored ondifferent storage clusters in a multi-cluster storage system. However,the invention is not limited to addressing any or all of theabove-discussed problems. That is, while some embodiments describedbelow may address some or all of these problems, some embodiments maynot address any of these problems.

II. Techniques for Addressing Inconsistency in Content Units

A. Content Unit Deletion

In some embodiments, when two or more copies of a content unit havingidentical content and the same identifier are identified as being storedon different storage clusters in a multi-clustered storage environment,the duplicate copy or copies may be deleted such that the content unitis stored on only one storage cluster in the storage environment.

For example, when a user request to modify a content unit is received orwhen an operation that modifies the content of a content unit is to beperformed, a search may be performed to determine whether there aremultiple copies of the content unit stored on different clusters in thestorage environment. If there are copies of the content unit stored ondifferent clusters, the copy on one cluster may be modified and thecopies on the other clusters may be deleted. In this way, there are noinconsistent copies of the content unit stored on other clusters in thestorage environment.

The inventors have recognized that while this approach reduces thelikelihood that multiple inconsistent content units having the sameidentifier are stored on different clusters in a storage environment,this approach may not be suitable for some storage environments. Thatis, some storage environments may enforce a retention policy that doesnot permit the deletion of content units or requires that content unitsbe retained at least for some minimum period of time. Such policies maybe implemented, for example, to comply with legal requirements relatedto the storage of certain types of data. Thus, even if the content oftwo duplicate content units becomes inconsistent, the retention policyof the storage environment may not permit deletion of one of thosecontent units.

B. Parallel Modification Of Content Units

In some embodiments, when two or more copies of a content unit havingidentical content and the same identifier are identified as being storedon different storage clusters in a multi-clustered storage environment,the content of each copy may be modified in parallel such that thecontent of each content unit stays consistent.

For example, when a user request to modify a content unit is received orwhen an operation that modifies the content of a content unit is to beperformed, a search may be performed to determine whether there aremultiple copies of the content unit stored on different clusters in thestorage environment. If there are copies on different clusters, themodification to the content may be performed on each copy. In thismanner, a content unit stored on one cluster may be consistent withcopies of the content unit stored on other clusters.

The inventors have recognized that while this approach reduces thelikelihood that multiple inconsistent content units having the sameidentifier are stored on different clusters in a storage environment,situations may still arise in which such copies may be stored ondifferent clusters in a storage environment. For example, if two copiesof a content unit are stored on two different clusters in a storageenvironment, and an operation to modify the content of the content unitis to be performed, a situation may arise in which one cluster is down(e.g., due to a hardware or other type of failure) at the time theoperation to modify the content is to be performed. As such, it cannotbe determined whether the failed cluster stores a copy of the contentunit to be modified. Consequently, the operation to modify the contentunit may be performed on the copy stored on one cluster, but not on thecopy stored on the failed cluster. If the failed cluster later comesback online, the copy stored on this cluster will be different from andinconsistent with the copy that was modified.

C. Marking Content Units

In some embodiments, when two or more copies of a content unit havingidentical content and the same identifier are identified as being storedon different storage clusters in a multi-clustered storage environment,one cluster may be deemed as storing the valid copy and the othercluster(s) may be deemed as storing the invalid copy or copies.Information may be stored in the invalid copy or copies of the contentunit that identifies or “marks” these copies as being invalid.

For example, when a request to modify a content unit is received or anoperation that modifies the content of a content unit is to beperformed, it may be determined whether multiple copies of the contentunit are stored on different clusters. If multiple copies are stored ondifferent clusters, one copy may deemed to be the valid copy and theother copy or copies may be deemed to be invalid copies. Themodification operation may be performed on the valid copy and theinvalid copies may be modified to include information identifying ormarking these copies as being invalid. As such, when a subsequentrequest to read the content unit is received, each cluster may determinewhether it stores a copy of the content unit, and each cluster thatstores a copy of the content unit may determine whether its copy of thecontent unit is valid by determining whether the content unit includesinformation identifying it as invalid. The valid copy of the contentunit may be returned in response to the read request. Similarly, when asubsequent request to modify a content unit is received, each clustermay determine whether it stores a copy of the content unit, and eachcluster that stores a copy of the content unit may determine whether itscopy of the content unit is valid. The valid copy of the content unitmay be modified, while the invalid copies are not updated.

FIG. 6 shows an illustrative process that may be used in someembodiments to modify a content unit in a multi-cluster storageenvironment and to identify the valid copy of such a content unit whenmultiple copies exist.

The process begins at act 601, where an operation to modify a contentunit is initiated. The process next continues to act 603, where a searchfor the content unit to be modified is performed one each cluster. Theprocess then continues to act 605, where it is determined, based on thesearches in act 603, whether the content unit to be modified is storedon multiple clusters. If the content unit is not stored on multipleclusters, then the one storage cluster that stores the content unit isdeemed to store the valid copy and the process continues to act 607,where the cluster that stores the content unit performs the modificationoperation on the content unit.

If, at act 605, it is determined that the content unit is stored onmultiple clusters, the process continues to act 609, where any copies ofthe content unit that include information marking those content units asinvalid are disregarded. The process next continues to act 611, where itis determined whether there are multiple copies of the content unit thatare not marked as invalid stored on more than one cluster. If it isdetermined that there are not, the process continues to act 607, wherethe cluster that stores the sole valid copy of the content unit performsthe modification operation on that content unit. If, at act 611, it isdetermined that there are multiple copies of content units that are notmarked as invalid, the process continues to act 613 where information isstored in all but one of these content units that indicates or marks thecontent unit as being invalid. In this way, one cluster is selected asstoring the valid copy of the content unit, and the other clusters aredeemed to store invalid copies. The selection of the cluster that storesthe valid copy may be made in any of a variety of ways. For example, thecluster on which the content unit was most recently stored may beselected as storing the valid copy or the cluster that has the mostavailable storage capacity may be selected as storing the valid copy.Any other suitable criterion or criteria may be used to select a clusteras storing the valid copy, as the invention is not limited in thisrespect. After act 613, the process continues to act 607, where thecluster that stores the valid copy of the content unit performs themodification operation on the content unit.

FIG. 7 shows an illustrative process that may be used in someembodiments to read a content unit in a multi-cluster storageenvironment and to identify the valid copy of such a content unit whenmultiple copies exist.

The process begins at act 701, where a request to read a content unit isreceived. Such a request may be received from, for example, a hostcomputer or an application program executing on a host computer.

The process next continues to act 703, where a search for the contentunit to be read is performed one each cluster. The process thencontinues to act 705, where it is determined, based on the searches inact 703, whether the content unit to be read is stored on multipleclusters. If the content unit is not stored on multiple clusters, thenthe one storage cluster that stores the content unit is deemed to storethe valid copy and the process continues to act 707, where the contentunit is returned from the cluster that stores it.

If, at act 705, it is determined that the content unit is stored onmultiple clusters, the process continues to act 709, where any copies ofthe content unit that include information marking those content units asinvalid are disregarded. The process next continues to act 711, where itis determined whether there are multiple copies of the content unit thatare not marked as invalid stored on more than one cluster. If it isdetermined that there are not, the process continues to act 707, wherethe sole valid copy of the content unit is returned in response to theread request received in act 701. If, at act 711, it is determined thatthere are multiple copies of content units that are not marked asinvalid, the process continues to act 713 where information is stored inall but one of these content units that indicates or marks the contentunit as being invalid. In this way, one cluster is selected as storingthe valid copy of the content unit, and the other clusters are deemed tostore invalid copies. The selection of the cluster that stores the validcopy may be made in any of a variety of ways. For example, the clusteron which the content unit was most recently stored may be selected asstoring the valid copy or the cluster that has the most availablestorage capacity may be selected as storing the valid copy. Any othersuitable criterion or criteria may be used to select a cluster asstoring the valid copy, as the invention is not limited in this respect.After act 713, the process continues to act 707, where the content unitis returned from the cluster that stores it.

D. New Content Unit Creation

In some embodiments, when two or more copies of a content unit havingidentical content and the same identifier are identified as being storedon different storage clusters in a multi-clustered storage environment,a new content unit, referred to herein as a status content unit, may becreated. Information may be stored in the status content unit thatindicates that there are multiple copies of the content unit stored ondifferent clusters, and may indicate which copy is the valid, on whichcluster the valid copy is stored, which copy or copies are invalid andon which cluster(s) the invalid copy or copies is stored.

For example, when a request to modify a content unit is received or anoperation that modifies the content of a content unit is to beperformed, it may be determined whether multiple copies of the contentunit are stored on different clusters. If multiple copies are stored ondifferent clusters, one copy may deemed to be the valid copy and theother copy or copies may be deemed to be invalid copies. Themodification operation may be performed on the valid copy and a statuscontent unit may be stored on each cluster that stores a copy of thecontent unit indicating where each copy of the content unit is storedand which copy is the valid copy. As such, when a subsequent request toread the content unit is received, each cluster may determine whether itstores a copy of the content unit, and each cluster that stores a copyof the content unit may determine whether its copy of the content unitis valid by locating the status content unit and analyzing theinformation stored therein. The valid copy of the content unit may bereturned in response to the read request. Similarly, when a subsequentrequest to modify a content unit is received, each cluster may determinewhether it stores a copy of the content unit, and each cluster thatstores a copy of the content unit may determine whether its copy of thecontent unit is valid by locating the status content unit and analyzingthe information stored therein. The valid copy of the content unit maybe modified, while the invalid copies are not updated.

FIG. 8 shows an illustrative process that may be used in someembodiments to modify a content unit in a multi-cluster storageenvironment and to identify the valid copy of such a content unit whenmultiple copies exist. The process begins at act 801, where an operationto modify a content unit is initiated. The process next continues to act803, where a search for the content unit to be modified is performed oneeach cluster. The process then continues to act 805, where it isdetermined, based on the searches in act 803, whether the content unitto be modified is stored on multiple clusters. If the content unit isnot stored on multiple clusters, then the one copy of the content unitthat exists in the storage environment is deemed to be the valid copyand the process continues to act 807, where the cluster that stores thecontent unit performs the modification operation on the content unit.

If, at act 805, it is determined that the content unit is stored onmultiple clusters, the process continues to act 809, where a search fora status content unit associated with the content unit is performed oneach cluster that stores a copy of the content unit. The process nextcontinues to act 811, where it is determined whether a status contentunit associated with the content unit to be modified is stored on eachcluster that stores a copy of the content unit to be modified. If it isdetermined that such a status content unit is stored on each clusterthat stores a copy of the content unit, the process continues to act813, where the information in these status content units is used todetermine which copy is the valid copy. The process then continues toact 807, where the modification operation is performed on the valid copyof the content unit.

If, at act 811, it is determined that each cluster that stores a copy ofthe content unit to be modified does not store a status content unitassociated with that content unit, the process continues to act 815,where it is determined if a status content unit was located thatidentifies which copy of the content unit to be modified is the validcopy. If it is determined that such a status content unit was located,the process continues to act 817, where a status content unit is createdand stored on each cluster that stores the content unit but does notstore a status content unit for the content unit. The status contentunit may indicate on which cluster the valid copy of the content unit isstored and/or on which cluster(s) the invalid copy or copies of thecontent unit is/are stored. The process then continues to act 807, wherethe modification operation is performed on the valid copy of the contentunit.

If, at act 815, it is determined that no status content unit was locatedthat identifies which copy of the content unit to be modified is thevalid copy, the process continues to act 819, where one cluster isselected as storing the valid copy. This selection may be made in any ofa variety of ways. For example, the cluster on which the content unitwas most recently stored may be selected as storing the valid copy orthe cluster that has the most available storage capacity may be selectedas storing the valid copy. Any other suitable criterion to select acluster as storing the valid copy may be employed, as the invention isnot limited in this respect. Once one cluster is selected as storing thevalid copy, the process continues to act 817, where a status contentunit is created and stored on each cluster that stores the content unitbut does not store a status content unit for the content unit. Thestatus content unit may indicate on which cluster the valid copy of thecontent unit is stored and/or on which cluster(s) the invalid copy orcopies of the content unit is/are stored. The process then continues toact 807, where the modification operation is performed on the valid copyof the content unit.

FIG. 9 shows an illustrative process that may be used in someembodiments to read a content unit in a multi-cluster storageenvironment and to identify the valid copy of such a content unit whenmultiple copies exist.

The process begins at act 901, where a request to read a content unit isreceived in the storage environment. Such a request may be receivedfrom, for example, a host computer or an application program executingon a host computer.

The process next continues to act 903, where a search for the contentunit to be read is performed one each cluster. The process thencontinues to act 905, where it is determined, based on the searches inact 903, whether the content unit to be read is stored on multipleclusters. If the content unit is not stored on multiple clusters, thenthe process continues to act 907, where the content unit is read fromthe one cluster in the storage environment that stores it, and thecontent unit is returned to the requesting entity in response to therequest.

If, at act 905, it is determined that the content unit is stored onmultiple clusters, the process continues to act 909, where a search fora status content unit associated with the content unit is performed oneach cluster that stores a copy of the content unit. The process nextcontinues to act 911, where it is determined whether a status contentunit associated with the content unit to be read is stored on eachcluster that stores a copy of the content unit to be read. If it isdetermined that such a status content unit is stored on each clusterthat stores a copy of the content unit, the process continues to act913, where the information in these status content units is used todetermine which copy is the valid copy. The process then continues toact 907, where the valid copy of the content unit is read from thecluster that stores it, and the content unit is returned to therequesting entity in response to the request.

If, at act 911, it is determined that each cluster that stores a copy ofthe content unit to be read does not store a status content unitassociated with that content unit, the process continues to act 915,where it is determined if a status content unit was located thatidentifies which copy of the content unit to be read is the valid copy.If it is determined that such a status content unit was located, theprocess continues to act 917, where a status content unit is created andstored on each cluster that stores the content unit but does not store astatus content unit for the content unit. The status content unit mayindicate on which cluster the valid copy of the content unit is storedand/or on which cluster(s) the invalid copy or copies of the contentunit is/are stored. The process then continues to act 907, where thevalid copy of the content unit is returned from the cluster that storesit to the requesting entity in response to the request.

If, at act 915, it is determined that no status content unit was locatedthat identifies which copy of the content unit to be read is the validcopy, the process continues to act 919, where one cluster is selected asstoring the valid copy. This selection may be made in any of a varietyof ways. For example, the cluster on which the content unit was mostrecently stored may be selected as storing the valid copy or the clusterthat has the most available storage capacity may be selected as storingthe valid copy. Any other suitable criterion to select a cluster asstoring the valid copy, as the invention is not limited in this respect.Once one cluster is selected as storing the valid copy, the processcontinues to act 917, where a status content unit is created and storedon each cluster that stores the content unit but does not store a statuscontent unit for the content unit. The status content unit may indicateon which cluster the valid copy of the content unit is stored and/or onwhich cluster(s) the invalid copy or copies of the content unit is/arestored. The process then continues to act 907, where the valid copy ofthe content unit is returned from the cluster that stores it to therequesting entity in response to the request.

E. Write Timestamp Update

In some embodiments, when a cluster in a multi-cluster storageenvironment receives a request to read a content unit, it may return therequested content unit and additional information pertinent to therequested content unit. For example, the storage cluster may store,external to the content unit, metadata about the content unit. Suchinformation may include, for example, information indicating the time atwhich the content unit was initially stored in the cluster. This timemay be different from the time of creation of the content unit becausethe content unit may have been created outside of the cluster and movedinto the cluster after its initial time of creation. The informationindicating the time at which the content unit was initially stored inthe cluster in which it is stored is referred to herein as the “writetimestamp” for the content unit.

As indicated above, a cluster may store the write timestamp for acontent unit external to the content unit, such that the write timestampis not part of the content of the content unit. The write timestamp maybe stored and associated with its content unit in any of numerouspossible ways. For example, as shown in FIG. 10, in some embodiments,the write timestamp may be stored in a relational database table andassociated with its content unit via the object identifier for thecontent unit. FIG. 10 shows an illustrative database table 1000 thatstores the write timestamps for three different content units stored ona storage cluster. As shown in FIG. 10, database table 1000 includesthree records 1005 a, 1005 b, and 1005 c. Each record includes a twofields. Field 1003 is used to store the write timestamp for a contentunit. Field 1001 is used to indicate the object identifier of thecontent unit with which the write timestamp is associated. In theexample of FIG. 10, each record in table 1000 has only two fields.However, the number of fields in table 1000 is provided only forillustrative purposes, as the database table that stores the writetimestamps for content units may include any suitable number of fields.In some embodiments, when a storage cluster receives a request to read acontent unit (e.g., a request issued by a host computer and/orapplication program), the storage cluster may access the write timestampfor the content unit and return the write timestamp in response to therequest.

In situations, when two or more copies of a content unit havingidentical content and the same identifier are identified as being storedon different storage clusters in a multi-clustered storage environment,each cluster may store a different write timestamp for the content unitbecause the times of storage of the content unit on the clusters in thestorage environment may be different.

The inventor has appreciated that the write timestamp for a content unitmay be used to indicate whether a cluster's copy of the content unit isa valid copy or an invalid copy. For example, in some embodiments, whena request to modify a content unit is received or a write operation isto be performed on the content unit, it may be determined whethermultiple copies of the content unit are stored on different clusters. Ifmultiple copies are stored on different clusters, one copy may deemed tobe the valid copy and the other copy or copies may be deemed to beinvalid copies. The modification operation may be performed on the validcopy and the write timestamps for the invalid copies may be set to avalue that indicates that those copies are invalid. Any suitable valuemay be used to indicate that the content unit is invalid, as there arenumerous possibilities of values to be used. For example, the binaryrepresentation of the write timestamp value may be set to all zeros orall ones to indicate that the associated content unit is invalid. Asanother example, the write timestamp may be set to a value indicative ofa time that is so far in the future or so far in the past (e.g., amillion years in the future or a million years in the past) that nowrite timestamps for valid content units will have that value. As usedherein, the term invalid value refers to any write timestamp value thatindicates that the copy of the content unit for that value is an invalidcopy.

When a subsequent request to read the content unit is received, eachcluster may determine whether it stores a copy of the content unit, andeach cluster that stores a copy of the content unit may determinewhether its copy of the content unit is valid by analyzing the writetimestamp for the content unit.

The inventors have recognized that this approach provides the benefitthat, because the write timestamps for content units are stored on thestorage cluster and returned in response to read requests for thosecontent units, repurposing the write timestamp to indicate whether acontent unit is invalid does not necessitate using additional storagespace. Moreover, because storage clusters may be configured to returnthe write timestamp for a content unit in response to a read request forthe content unit, accessing the write timestamp to determine whether acopy of the content unit is invalid does not impose a significantadditional processing burden or latency in responding to a read requestfor the content unit.

FIG. 11 shows an illustrative process that may be used in someembodiments to modify a content unit in a multi-cluster storageenvironment and to identify the valid copy of such a content unit whenmultiple copies exist.

The process begins at act 1101, where an operation to modify a contentunit is initiated. The process next continues to act 1103, where asearch for the content unit to be modified is performed one eachcluster. This may be done by issuing a read request for each contentunit to each cluster. In this way, each cluster that stores a copy ofthe content unit may return its copy, along with the associated writetimestamp for the copy. The process then continues to act 1105, where itis determined, based on the searches in act 1103, whether the contentunit to be modified is stored on multiple clusters. If the content unitis not stored on multiple clusters, then the one storage cluster thatstores the content unit is deemed to store the valid copy and theprocess continues to act 1107, where the cluster that stores the contentunit performs the modification operation on the content unit.

If, at act 1105, it is determined that the content unit is stored onmultiple clusters, the process continues to act 1109, where any copiesof the content unit whose associated write timestamp has an invalidvalue is disregarded. The process next continues to act 1111, where itis determined whether there are multiple copies of the content unitstored on more than one cluster that do not have an invalid writetimestamp value. If it is determined that there are not, the processcontinues to act 1107, where the cluster that stores the sole valid copyof the content unit performs the modification operation on that contentunit. If, at act 1111, it is determined that there are multiple copiesof content units whose write timestamp values are not invalid, theprocess continues to act 1113 where the write timestamp of all but oneof these copies is set to the invalid value. In this way, one cluster isselected as storing the valid copy of the content unit, and the otherclusters are deemed to store invalid copies. The selection of thecluster that stores the valid copy may be made in any of a variety ofways. For example, the cluster on which the content unit was mostrecently stored may be selected as storing the valid copy or the clusterthat has the most available storage capacity may be selected as storingthe valid copy. Any other suitable criterion or criteria may be used toselect a cluster as storing the valid copy, as the invention is notlimited in this respect. After act 1113, the process continues to act1107, where the cluster that stores the valid copy of the content unitperforms the modification operation on the content unit.

FIG. 12 shows an illustrative process that may be used in someembodiments to read a content unit in a multi-cluster storageenvironment and to identify the valid copy of such a content unit whenmultiple copies exist.

The process begins at act 1201, where a request to read a content unitis received. Such a request may be received from, for example, a hostcomputer or an application program executing on a host computer.

The process next continues to act 1203, where a search for the contentunit to be read is performed one each cluster. This may be accomplished,for example, by sending a read request to each cluster in the storageenvironment. In this way, each cluster that stores a copy of the contentunit may return its copy along with the write timestamp associated withthe copy.

The process then continues to act 1205, where it is determined, based onthe searches in act 1203, whether the content unit to be read is storedon multiple clusters. If the content unit is not stored on multipleclusters, then the one storage cluster that stores the content unit isdeemed to store the valid copy and the process continues to act 1207,where the content unit is returned from the cluster that stores it.

If, at act 1205, it is determined that the content unit is stored onmultiple clusters, the process continues to act 1209, where any copiesof the content unit with a write timestamp having an invalid value aredisregarded. The process next continues to act 1211, where it isdetermined whether there are multiple copies of the content unit storedon more than one cluster whose write timestamp values are not invalid.If it is determined that there are not, the process continues to act1207, where the sole valid copy of the content unit is returned inresponse to the read request in act 1201. If, at act 1211, it isdetermined that there are multiple copies of content units with a validwrite timestamp value, the process continues to act 1213 where the writetimestamp for all but one of the copies of the content unit is updatedto the invalid value. In this way, one cluster is selected as storingthe valid copy of the content unit, and the other clusters are deemed tostore invalid copies. The selection of the cluster that stores the validcopy may be made in any of a variety of ways. For example, the clusteron which the content unit was most recently stored may be selected asstoring the valid copy or the cluster that has the most availablestorage capacity may be selected as storing the valid copy. Any othersuitable criterion or criteria may be used to select a cluster asstoring the valid copy, as the invention is not limited in this respect.After act 1113, the process continues to act 1107, where the valid copyof the content unit is returned in response to the read request in act1201.

The above-described techniques for using write timestamp values toindicate whether a cluster's copy of the content unit is a valid copy oran invalid copy provide the benefit of an unambiguous answer as to whichcopy is the valid copy and which copy is invalid. Thus, for example,using this technique, each time a content unit that is stored on twodifferent clusters of a federation is read, the same copy of the contentunit would be identified as being the valid copy and the other copy orcopies would be identified as being invalid. This is because, if thewrite timestamps for all but one of the copies are set to the invalidvalue, each read request for the content unit would result in the one ofthe copies with the valid write timestamp value being identified as thevalid copy. In cases where there are multiple copies of a content unitstored on different clusters of a federation and more than one have avalid write timestamp value, the same content unit would be identifiedas the valid copy each time a read request for the content unit isreceived, because each user uses the same algorithm to determine, basedat least in part on the value of the write timestamp, which copy ofmultiple copies that have a valid write timestamp value is the validone. Thus, for example, if two users were to simultaneously issuerequests for the content unit, each user would identify the same copy ofthe content unit as being the valid one because each user would applythe same algorithm, based at least in part on the write timestamp valuesof the multiple copies, to determine which copy is valid.

III. Replication

As discussed above, in some situations it may be desired to replicatecontent units stored in a primary storage environment to a secondarybackup storage environment, so that if a failure occurs that causescontent units stored on the primary storage environment to become lost,corrupted, or temporarily unavailable, the content units may berecovered from the backup storage environment.

The inventor has appreciated that, when replicating content units from aprimary multi-cluster storage environment to a backup multi-clusterstorage environment, situations may arise in which inconsistent copiesof a content unit having the same identifier are stored on differentstorage clusters in the backup storage environment. For example, FIG. 13shows a primary storage environment 1301 having clusters 1303 a and 1303b and a backup storage environment 1305 having storage clusters 1307 aand 1307 b. In the example of FIG. 13, storage cluster 1303 a stores acontent unit 1309, which is replicated to cluster 1311 at time T1 and isreplicated to cluster 1307 b at a later time T2. If the content ofcontent unit 1309 were modified in between time T1 and time T2 (e.g., inany of the manners discussed above) the content of content units 1311and 1313 may be inconsistent. Thus, if it is ever desired to restore thecontent unit from the backup storage environment (e.g., if cluster 1303a experiences a failure), determining which copy of the content unit isthe valid one and/or which copy to restore to the primary storageenvironment may present challenges.

Another situation in which inconsistent copies of a content unit may bestored on different storage clusters in a backup storage environment isif a content unit on a first cluster in the primary storage environmentis replicated to a first cluster in a backup storage environment. If thecontent unit in the primary storage environment is subsequently moved toa second cluster in the primary storage environment, this second clustermay be unaware that the content unit has already been replicated to thebackup storage environment and may replicate the content unit to asecond cluster in the backup storage environment. If the content of thecontent unit was modified in between the two replications, then thereplica copies of the content unit stored on the first and secondclusters of the backup storage environment may be inconsistent.

One technique for reducing the likelihood that inconsistent copies of acontent unit having the same identifier may be replicated to differentstorage clusters in a backup storage environment is to, prior toreplicating the content unit, perform a search for the content unit oneach cluster in the backup storage environment to determine whether oneof these clusters already stores the content unit. If so, then thecontent unit may be replicated to the cluster that already stores it, sothat it replaces the previously-replicated copy of the content unit onthat cluster. The inventor has recognized that this technique involvesinefficiencies in that, in order to replicate a content unit, a searchfor the content unit is performed on each cluster in the backup storageenvironment. Performing this global search increases the latency inreplicating a content unit and consumes processing resources on theclusters in the backup storage environment.

Thus, in some embodiments, the primary storage environment may beconfigured to apply a standard replication policy that specifies towhich cluster in a backup storage environment a content unit is to bereplicated based on some unchanging attribute of the content unit. Forexample, the replication policy may specify to which cluster a contentunit is to be replicated based on the object identifier of the contentunit. As one possible example, if the backup storage environment has twoclusters, the replication policy may specify that content units witheven object identifiers (i.e., object identifiers whose binary value isan even value) are replicated to cluster 1 in the backup storageenvironment and content units with odd object identifiers (i.e., objectidentifiers whose binary value is an odd value) are replicated tocluster 2 in the backup storage environment. In this way, a globallookup need not be performed to determine to whether and to whichstorage cluster a content unit has been replicated, as this may bedetermined using the storage policy.

The inventor has recognized that, in some situations, such a replicationpolicy may be put in place after a storage environment has been in usefor some period of time and has replicated some content units to abackup storage environment. In such situations, a global lookup may beperformed for content units created before the replication policy wasput in place, and the replication policy may be applied to determinewhere content units created after the replication policy was put inplace would have been replicated.

FIG. 14 shows a flow chart of a process that may be performed by acluster in a primary storage environment to replicate a content unit toa backup storage environment that that cluster has not previouslyreplicated to the backup storage environment. The process begins at act1401, where a content unit that is to be replicated is retrieved. Theprocess next continues to act 1403, where the time of creation of thecontent unit to be replicated is determined. The time of creation of thecontent unit may be determined in any suitable way. For example, thetime of creation may be stored in the content of the content unit or maybe stored externally, as metadata associated with the content unit. Inthis respect, it should be appreciated that the creation time of thecontent unit is different from the above-discussed write timestamp. Thatis, the creation time of the content unit indicates the time at whichthe content unit was initially created, whereas the write timestamp forthe content unit indicates the time at which the content unit was firststored in the storage cluster in which it is stored.

Once the creation time of the content unit is determined, the processcontinues to act 1405, where it is determined whether the content unitwas created before the replication policy was instituted. If it isdetermined that the content unit was created after the replicationpolicy was instituted, then the process continues to act 1409, where thecontent unit is replicated to the storage cluster in the backup storageenvironment specified by the replication policy. In this way, if anothercluster in the primary storage environment has already replicated thecontent unit to the backup storage environment, then the replicationperformed at act 1409 will cause the previously-replicated content unitto be replaced with the content unit to be replicated.

If, at act 1405, it is determined that the content unit to be replicatedwas created before the replication policy was instituted, the processcontinues to act 1407, where a search for the content unit is performedon each cluster in the backup storage environment. The process nextcontinues to act 1411, where it is determined if the content unit wasfound on any of the clusters in the backup storage environment. If thecontent unit was found on one of the storage clusters, the processcontinues to act 1413, where the content unit to be replicated isreplicated to the storage cluster that already stores the content unit(i.e., such that the previously-stored copy is replaced). If the contentunit was not found on any of the clusters in the backup storageenvironment, the process continues to act 1415, where one cluster isselected to store the replicated content unit and the content unit isreplicated to that cluster.

The inventors have recognized that, after a cluster has replicated acontent unit, the content of the content unit may be modified (e.g., inany of the ways discussed above). When a content unit that has beenreplicated is modified, it may be desired to replace thepreviously-stored content unit with the modified content unit on thebackup storage environment. Thus, FIG. 15 shows a flow chart of aprocess that may be performed by a cluster in a primary storageenvironment to replicate a previously-replicated content unit to abackup storage environment after the content of the content unit hasbeen modified. The process begins at act 1501, where a content unit thathas been modified and is to be replicated is retrieved. The process nextcontinues to act 1503, where the time of creation of the content unit tobe replicated is determined. The time of creation of the content unitmay be determined in any suitable way. For example, the time of creationmay be stored in the content of the content unit or may be storedexternally, as metadata associated with the content unit.

Once the creation time of the content unit is determined, the processcontinues to act 1505, where it is determined whether the content unitwas created before the replication policy was instituted. If it isdetermined that the content unit was not created before the replicationpolicy was instituted, then the process continues to act 1511, where thereplication policy is accessed to determine which cluster in the backupstorage environment the policy specifies as the replication target forthe content unit. The process continues to act 1513, where a search isperformed on the cluster in the backup storage environment identified inact 1511 to determine if the previously-replicated copy of the contentunit is stored on that cluster. If the content unit is stored on thatcluster, the process continues to act 1515, where the replication isperformed to the cluster in the backup storage environment that alreadystores the content unit (i.e., so that the modified content unitreplaces the previously-replicated copy). If, at act 1513, it isdetermined that the content unit is not stored on the cluster identifiedin act 1511, the process continues to act 1507, where a search for thecontent unit is performed on each cluster in the backup storageenvironment. The process next continues to act 1509, where it isdetermined if, as a result of the search performed in act 1507, thecontent unit was found on one of the clusters. If the content unit wasnot found, then the process continues to act 1517, where an error isreturned. If the content unit was found, then the process continues toact 1515, where the replication is performed to the cluster in thebackup storage environment that already stores the content unit (i.e.,so that the modified content unit replaces the previously-replicatedcopy).

If, at act 1505, it is determined that the content unit was createdbefore the replication policy was instituted. the process proceeds toact 1507, where a search for the content unit is performed on eachcluster in the backup storage environment. The process next continues toact 1509, where it is determined if, as a result of the search performedin act 1507, the content unit was found on one of the clusters. If thecontent unit was not found, then the process continues to act 1517,where an error is returned. If the content unit was found, then theprocess continues to act 1515, where the replication is performed to thecluster in the backup storage environment that already stores thecontent unit (i.e., so that the modified content unit replaces thepreviously-replicated copy).

IV. Additional Information

The storage clusters and host computers described above may beimplemented in any suitable way. In embodiments in which a storagecluster is a distributed storage system, each node may be implemented asa computer. In embodiments in which a storage cluster is notdistributed, the storage cluster itself may be implemented as acomputer. The host computers described above may also each beimplemented as a computer.

FIG. 16 is a block diagram of a computer that may be used, in someembodiments, to implement a storage cluster, node in a storage cluster,or a host computer. As shown in FIG. 16, computer 1601 includes ahardware microprocessor(s) 1603, an input/output (I/O) interface(s)1605, and a memory 1607. Memory 1607 may include any suitable type ofmemory, including one or more storage devices, a system main memory, acache, or any other suitable type of memory. Memory 1607 may store,inter alia, processor executable instructions that are executed bymicroprocessor(s) 1603. Microprocessor(s) 1603 may include one or moregeneral purpose hardware processors and may execute theprocessor-executable instructions stored in memory 1607. I/Ointerface(s) 1605 may be any suitable interface(s) used to receiveinformation from and send information to any entity external to computer1601.

The above-described embodiments of the present invention can beimplemented in any of numerous ways. For example, the embodiments may beimplemented using hardware, software or a combination thereof. Whenimplemented in software, the software code can be executed on anysuitable processor or collection of processors, whether provided in asingle computer or distributed among multiple computers. It should beappreciated that any component or collection of components that performthe functions described above can be generically considered as one ormore controllers that control the above-discussed functions. The one ormore controllers can be implemented in numerous ways, such as withdedicated hardware, or with general purpose hardware (e.g., one or moreprocessors) that is programmed using microcode or software to performthe functions recited above.

In this respect, it should be appreciated that one implementation of theabove-described embodiments comprises at least one computer-readablemedium encoded with a computer program (e.g., a plurality ofinstructions), which, when executed on a processor, performs theabove-discussed functions of these embodiments. As used herein, the termcomputer-readable medium encompasses any computer-readable medium thatcan be considered to be a process, a machine, a manufacture, and/or acomposition of matter, but does not encompass any medium that cannot beconsidered to be a process, a machine, a manufacture, and/or compositionof matter. A computer-readable medium may be, for example, a tangiblemedium on which computer-readable information may be encoded or stored,a storage medium on which computer-readable information may be encodedor stored, and/or a non-transitory medium on which computer-readableinformation may be encoded or stored. Examples of computer-readablemedia include a computer memory (e.g., a ROM, a RAM, a flash memory, orother type of computer memory), a magnetic disc or tape, an opticaldisc, and/or other types of computer-readable media that can beconsidered to be a process, a machine, a manufacture, and/or acomposition of matter.

The computer-readable medium can be transportable such that the programstored thereon can be loaded onto any computer environment resource toimplement the aspects of the present invention discussed herein. Inaddition, it should be appreciated that the reference to a computerprogram which, when executed, performs the above-discussed functions, isnot limited to an application program running on a host computer.Rather, the term computer program is used herein in a generic sense toreference any type of computer code (e.g., software or microcode) thatcan be employed to program a processor to implement the above-discussedaspects of the present invention.

It should be appreciated that in accordance with several embodiments ofthe present invention wherein processes are implemented in a computerreadable medium, the computer implemented processes may, during thecourse of their execution, receive input manually (e.g., from a user).

In various examples described above, content addresses were described toinclude alphabetic characters ‘A’-‘Z’. It should be understood thatthese content addresses were given only as examples, and that contentaddresses may include any alphanumeric character, series of bits, or anyother suitable character, as the invention is not limited in thisrespect.

The phraseology and terminology used herein is for the purpose ofdescription and should not be regarded as limiting. The use of“including,” “comprising,” “having,” “containing”, “involving”, andvariations thereof, is meant to encompass the items listed thereafterand additional items.

Having described several embodiments of the invention in detail, variousmodifications and improvements will readily occur to those skilled inthe art. Such modifications and improvements are intended to be withinthe spirit and scope of the invention. Accordingly, the foregoingdescription is by way of example only, and is not intended as limiting.The invention is limited only as defined by the following claims and theequivalents thereto.

What is claimed is:
 1. A method of accessing a content unit stored in astorage environment that includes a plurality of storage clusters,wherein the content unit is stored on at least two of the plurality ofstorage clusters, the method comprising acts of: receiving a request,from a host computer, to read the content unit, the request identifyingthe content unit via an object identifier assigned to the content unit;causing each of the plurality of storage clusters to perform a searchfor the content unit; determining, based on the searches performed forthe plurality of storage clusters, whether a copy of the content unit tobe read is stored on multiple clusters; receiving, from each of theplurality of storage clusters that stores the content unit, a validityindicator for the content unit; determining, based on the validityindicators, which one of the plurality of storage clusters that storesthe content unit stores a valid version of the content unit; andreturning the valid version of the content unit in response to therequest.
 2. The method of claim 1, wherein the act of receiving, fromeach of the plurality of storage clusters that stores the content unit,the validity indicator for the content unit further comprises: receivingthe content unit from each of the plurality of storage clusters thatstores it; and extracting the validity indicator from the content of thecontent unit received from each of the plurality of storage clusters. 3.The method of claim 2, wherein: the act of causing each of the pluralityof storage clusters to perform a search for the content unit furthercomprises sending a read request for the content unit to each of theplurality of storage clusters; and the content unit is identified in thestorage environment via an object identifier assigned to the contentunit, and the read request identifies the content unit via the objectidentifier.
 4. The method of claim 3, wherein the object identifierassigned to the content unit comprises a content address that isgenerated, at least in part, from at least a portion of the content ofthe content unit.
 5. The method of claim 1, wherein the act ofreceiving, from each of the plurality of storage clusters that storesthe content unit, the validity indicator for the content unit furthercomprises: receiving, from each of the plurality of storage clustersthat stores the content unit, the validity indicator for the contentunit, in response to the read request.
 6. The method of claim 5, whereinthe validity indicator comprises a timestamp value used by each of theplurality of clusters to indicate a time at which the content unit wasfirst stored in the cluster.
 7. At least one non-transitory computerreadable medium encoded with instructions that when executed by one of aplurality of storage clusters in a storage environment, perform a methodcomprising acts of: receiving a request, from a host computer, to readthe content unit, the request identifying the content unit via an objectidentifier assigned to the content unit; causing each of the pluralityof storage clusters to perform a search for the content unit; receiving,from each of the plurality of storage clusters that stores the contentunit, a validity indicator for the content unit; determining, based onthe validity indicators, whether a valid copy of the content unit to beread is stored on more than one of the plurality of clusters;selectively, based on determining that a valid copy of the content unitto be read is stored on more than one of the plurality of clusters,storing an indication for all but one of the more than one of theplurality of clusters, that the content unit to be read is invalid suchthat one of the plurality of storage clusters stores a valid version ofthe content unit; and returning the valid version of the content unit inresponse to the request.
 8. The at least one non-transitory computerreadable medium of claim 7, wherein the act of receiving, from each ofthe plurality of storage clusters that stores the content unit, thevalidity indicator for the content unit further comprises: receiving thecontent unit from each of the plurality of storage clusters that storesit; and extracting the validity indicator from the content of thecontent unit received from each of the plurality of storage clusters. 9.The at least one non-transitory computer readable medium of claim 8,wherein the act of causing each of the plurality of storage clusters toperform a search for the content unit further comprises: sending a readrequest for the content unit to each of the plurality of storageclusters.
 10. The at least one non-transitory computer readable mediumof claim 9, wherein the content unit is identified in the storageenvironment via an object identifier assigned to the content unit, andthe read request identifies the content unit via the object identifier.11. The at least one non-transitory computer readable medium of claim10, wherein the object identifier assigned to the content unit comprisesa content address that is generated, at least in part, from at least aportion of the content of the content unit.
 12. The at least onenon-transitory computer readable medium of claim 9, wherein the act ofreceiving, from each of the plurality of storage clusters that storesthe content unit, the validity indicator for the content unit furthercomprises: receiving, from each of the plurality of storage clustersthat stores the content unit, the validity indicator for the contentunit, in response to the read request.
 13. The at least onenon-transitory computer-readable medium of claim 12, wherein thevalidity indicator comprises a timestamp value used by each of theplurality of clusters to indicate a time at which the content unit wasfirst stored in the cluster.
 14. A computer system that operates as oneof a plurality of storage clusters in a storage environment, the storagecluster comprising: at least one memory that stores processor-executableinstructions for accessing a content unit, wherein the content unit isstored on at least two of the plurality of storage clusters; and atleast one microprocessor, coupled to the at least one memory, thatexecutes the processor-executable instructions to: initiate an operationto modify the content unit; cause each of the plurality of storageclusters to perform a search for the content unit; selectively, based onthe content unit being stored on at least two of the plurality ofstorage clusters: identify, based on the search, the at least twostorage clusters that store the content unit; select one of the at leasttwo of the plurality of storage clusters as storing a valid version ofthe content unit; perform the operation to modify the content unit onthe valid version of the content unit stored by the selected one of theplurality of storage clusters; and store a status content unit on eachof the at least two clusters that does not already store a statuscontent unit for the content unit, wherein the status content unitindicates which of the at least two clusters stores the valid version ofthe content unit.
 15. The computer system of claim 14, wherein the atleast one microprocessor executes the processor-executable instructionsto cause each of the plurality of storage clusters to perform a searchfor the content unit by: sending a read request for the content unit toeach of the plurality of storage clusters.
 16. The computer system ofclaim 15, wherein the content unit is identified in the storageenvironment via an object identifier assigned to the content unit, andthe read request identifies the content unit via the object identifier.17. The computer system of claim 16, wherein the object identifierassigned to the content unit comprises a content address that isgenerated, at least in part, from at least a portion of the content ofthe content unit.
 18. The computer system of claim 14, wherein thestatus content unit on each of the at least two clusters indicates whichof the plurality of clusters store an invalid version of the contentunit.
 19. The computer system of claim 14, wherein the at least onemicroprocessor selects one of the at least two of the plurality ofstorage clusters as storing a valid version of the content unit based,at least in validity information obtained from each of the plurality ofstorage clusters that stores the content unit.
 20. The computer systemof claim 14, wherein the selected one of the at least two of theplurality of storage clusters storing a valid version of the contentunit is selected based on which of the at least two storage clusters hasthe most available storage capacity.